Manualshelf

SQL/MX 2.x Installation and Management Guide (G06.24+, H06.03+)

ManualsBrandsHP ManualsServerHP NonStop G-Series
101102103104105106107108109110
Planning Database Security and Recovery
HP NonStop SQL/MX Installation and Management Guide523723-004
5-5
Safeguard Security
Safeguard process-protection records can control who is authorized to use specific
process names.
Safeguard access control lists cannot be used to protect OSS files. Access to OSS
files is controlled by OSS file-permission bits.
User Administration
Authentication records for all system users, including those who work in the OSS
environment, must be added and managed by using SAFECOM USER commands.
Some attributes defined in a user-authentication record apply exclusively to the OSS
environment. These attributes include the user’s primary group, initial working
directory, initial program, and initial program type.
A user’s initial working directory in the OSS environment is specified by the
INITIALDIRECTORY attribute in the authentication record for that user. The initial
directory is where the user is placed in the OSS environment when the osh command
is executed.
File-Sharing Groups
File-sharing groups are particularly important in the OSS environment. Each user has a
group list that contains the names of all groups to which that user belongs. When the
user attempts to access a file, the file’s group permissions are granted to that user if
the user’s group list includes the name of the file’s group. If the file’s group does not
appear on the user’s group list, the group permissions are denied, and the user is
granted the permissions specified for all other users.
File-sharing groups are created and managed by using SAFECOM GROUP
commands.
Volume Create Authority
Each time an OSS file is created, the Safeguard software checks whether a Safeguard
volume-protection record exists for the physical volume on which the file is to reside. If
a such a volume-protection record exists, the user creating the file must have create
(C) authority on the access control list for that volume. If the user does not have create
authority on that access control list, the Safeguard software denies the file-creation
attempt.
Enabling OSS Safeguard Auditing
SCF turns on the audit-enabled attribute for the OSS Name Server. SAFECOM turns
on the AUDIT-CLIENT-SERVICE and sets AUDIT-PROCESS-ACCESS-PASS and
AUDIT-PROCESS-ACCESS-FAIL. For more information about OSS security auditing,
see the Open System Services Management and Operations Guide.